The danger of remote attacks on New Zealand ISPs' servers using the latest exploit in Sendmail is fading as most have either patched their servers or don't use Sendmail at all.
The buffer overflow vulnerability was found in a number of versions of the open source Sendmail Mail Transfer Agent (MTA), ranging from the most recent release of that software to versions that first appeared in the late 1980s.
The vulnerability could allow a remote attacker to gain "root" (super user) access to a Sendmail server, according to the company that discovered the flaw, Internet Security Systems (ISS). ISS estimates Sendmail servers are used for up to 70% of all internet email traffic.
However in New Zealand neither Telecom's ISP Xtra nor TelstraClear, the two largest in the land, use Sendmail.
ICONZ general manager Sean Weekes says his ISP does run two Sendmail servers, and as soon as ICONZ was made aware of the problem it began work immediately patching them.
"We also use Qmail so we can always do some balancing and avoid being 100% exposed to anything." Weekes says the vulnerability is "quite scary when you think about it" because of the potential threat it imposes.
"The responsibility is on service providers to respond very quickly to make sure it doesn't escalate to anything serious."
Attackers who understand the vulnerability could compromise a server by sending an email message with an improperly formatted message header, causing a buffer overflow that would enable the attacker to place and execute their own malicious code on the server.
What makes the new vulnerability particularly pernicious is that attackers would need to know little about the server they were attacking other than its internet address, according to Dan Ingevaldson, team leader of development at ISS.
"It's quite a dangerous vulnerability because an exploit could be contained in the email message itself. The attacker doesn't need to set up an elaborate system to launch the attack. They could just send an email message to a server, and if the server is vulnerable the attack would be launched," says Ingevaldson.
While the vulnerability requires sophisticated knowledge of the Sendmail program to understand and exploit, it could still be quickly leveraged by hackers in the form of a Slammer-like worm, according to Ingevaldson.
Part of the reason for that is that, as an open source product, the Sendmail source code and the new patch code are visible to hackers as well as email server administrators. The recently released patch will immediately flag vulnerable areas of the Sendmail code.
Once the vulnerability is understood and an exploit is developed, it would be easy work to join that exploit to an engine that scans for messaging servers, creating a fast-spreading and dangerous new worm, Ingevaldson says.
Ihug did not immediately return IDGNet calls.